ci: 배포후 downtime 0로 변경 (health check 추가)

Darren4641 · Darren4641 · commit 76224ac68f8f · 2026-01-05T21:01:46.000+09:00
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
@@ -99,32 +99,50 @@ jobs:
                }' \
                ${{ secrets.DISCORD_WEBHOOK_URL }}
 
-      - name: Deploy to K3s (On-premise)
+      - name: Deploy to K3s (On-premise) with Zero-Downtime
+        id: deploy
         uses: appleboy/ssh-action@v1.0.3
         with:
           host: ${{ secrets.SSH_HOST }}
           username: ${{ secrets.SSH_USER }}
           password: ${{ secrets.SSH_PASSWORD }}
           port: ${{ secrets.SSH_PORT }}
           script: |
-            echo "🚀 Starting deployment to K3s..."
+            echo "🚀 Starting Zero-Downtime deployment to K3s..."
 
             # K3s deployment 디렉토리로 이동
             cd /home/yapp/k3s/staging
 
-            # 이미지 태그 업데이트 (deployment.yaml에서 이미지 태그 변경)
-            sed -i "s|image: .*yapp-staging:.*|image: ${{ secrets.DOCKER_USERNAME }}/yapp-dev:${{ steps.version.outputs.version }}-${{ steps.version.outputs.short_sha }}|g" deployment.yaml
+            # 현재 실행 중인 이미지 확인
+            CURRENT_IMAGE=$(kubectl get deployment yapp-app-staging -n staging -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null || echo "none")
+            echo "📌 Current image: $CURRENT_IMAGE"
 
-            # K3s에 배포 적용
-            kubectl apply -f deployment.yaml
-
-            # Pod 강제 재시작 (새 이미지 pull 보장)
-            kubectl rollout restart deployment/yapp-app-staging -n staging
+            # 이미지 태그 업데이트
+            NEW_IMAGE="${{ secrets.DOCKER_USERNAME }}/yapp-dev:${{ steps.version.outputs.version }}-${{ steps.version.outputs.short_sha }}"
+            echo "📦 New image: $NEW_IMAGE"
+            sed -i "s|image: .*yapp-dev:.*|image: $NEW_IMAGE|g" deployment.yaml
 
-            # 배포 상태 확인
-            kubectl rollout status deployment/yapp-app-staging -n staging --timeout=5m
+            # K3s에 배포 적용 (Rolling Update 자동 실행)
+            echo "🔄 Applying deployment... Rolling update will start automatically"
+            kubectl apply -f deployment.yaml
 
-            echo "✅ Deployment completed successfully!"
+            # 배포 상태 확인 (새 파드가 완전히 준비될 때까지 대기)
+            echo "⏳ Waiting for new pods to be ready..."
+            if kubectl rollout status deployment/yapp-app-staging -n staging --timeout=10m; then
+              echo "✅ Rollout completed successfully!"
+
+              # 배포된 파드 정보 확인
+              echo "📊 Pod status:"
+              kubectl get pods -n staging -l app=yapp-app-staging
+
+              # 최종 이미지 확인
+              DEPLOYED_IMAGE=$(kubectl get deployment yapp-app-staging -n staging -o jsonpath='{.spec.template.spec.containers[0].image}')
+              echo "✅ Deployment completed! Deployed image: $DEPLOYED_IMAGE"
+            else
+              echo "❌ Rollout failed or timed out!"
+              kubectl get pods -n staging -l app=yapp-app-staging
+              exit 1
+            fi
 
       - name: Discord notification - Deployment success
         if: success()
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -45,6 +45,7 @@ dependencies {
     // Spring Boot
     implementation("org.springframework.boot:spring-boot-starter-web")
     implementation("org.springframework.boot:spring-boot-starter-validation")
+    implementation("org.springframework.boot:spring-boot-starter-actuator")
 
     // Kotlin
     implementation("com.fasterxml.jackson.module:jackson-module-kotlin")
diff --git a/src/main/kotlin/com/yapp2app/auth/infra/security/config/SecurityConfig.kt b/src/main/kotlin/com/yapp2app/auth/infra/security/config/SecurityConfig.kt
@@ -17,8 +17,19 @@ import org.springframework.web.cors.CorsConfigurationSource
 @EnableWebSecurity
 class SecurityConfig(private val corsConfigurationSource: CorsConfigurationSource) {
 
+    /**
+     * Actuator Health Check 엔드포인트 보안 설정 (Kubernetes Probe용)
+     */
     @Bean
     @Order(0)
+    fun actuatorSecurityFilterChain(http: HttpSecurity): SecurityFilterChain =
+        http.securityMatcher("/actuator/health/**")
+            .csrf { it.disable() }
+            .authorizeHttpRequests { it.anyRequest().permitAll() }
+            .build()
+
+    @Bean
+    @Order(1)
     fun documentSecurityFilterChain(http: HttpSecurity): SecurityFilterChain =
         http.securityMatcher("/swagger-ui/**", "/v3/api-docs/**")
             .csrf { it.disable() }
@@ -28,7 +39,7 @@ class SecurityConfig(private val corsConfigurationSource: CorsConfigurationSourc
             .build()
 
     @Bean
-    @Order(1)
+    @Order(2)
     fun apiSecurityFilterChain(
         http: HttpSecurity,
         jwtAuthenticationFilter: JwtAuthenticationFilter,
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
@@ -7,6 +7,25 @@ spring:
 springdoc:
   override-with-generic-response: false
 
+# Spring Boot Actuator 설정 (Health Check for Kubernetes)
+management:
+  endpoints:
+    web:
+      exposure:
+        include: health,info
+      base-path: /actuator
+  endpoint:
+    health:
+      probes:
+        enabled: true
+      show-details: when-authorized
+  health:
+    livenessstate:
+      enabled: true
+    readinessstate:
+      enabled: true
+
+
 aws:
   s3:
     access-key: ${AWS_S3_ACCESS_KEY:}
